Attackers exploited StackExchange to upload multiple malicious Python packages to the open-source development platform PyPI, targeting cryptocurrency users involved with Raydium and Solana, popular blockchain tools developers pay for using crypto wallets.
In an Aug. 1 blog post, Checkmarx researchers said the attack on a sophisticated group of tech-savvy users was financially motivated. The multi-stage infostealer malware exfiltrated extensive sensitive data and led to the draining of the crypto wallets of the victims.
The researchers said the bad actors would post a seemingly helpful answer on a popular thread that referenced their malicious package, taking advantage of the trust developers have in community-driven open-source platforms.
“The focus on users of these platforms indicates a level of strategic thinking on the part of the attacker,” wrote the Checkmarx researchers. “By targeting this specific group, they positioned themselves to potentially intercept or manipulate high-value transactions, pointing to clear financial motives behind the attack.”
Eric Schwake, director of cybersecurity strategy at Salt Security, added that this attack on the Raydium and Solana blockchain communities demonstrated a sophisticated and well-researched approach by the attackers. Schwake said the attackers used deceptive tactics on StackExchange to trick users into downloading malicious packages that could potentially exploit API vulnerabilities within blockchain projects.
“This not only erodes trust in open-source repositories and community platforms, but also significantly impacts the community,” said Schwake. “The incident highlights the evolving threat landscape and the need for heightened security measures across the entire software supply chain. It emphasizes the need for a strong focus on API security to protect sensitive blockchain interactions.”
John Bambenek, president at Bambenek Consulting, pointed out that this campaign not only involved attempting to steal cryptocurrency wallets, it also tries to target tech-savvy users. Bambenek said Raydium, in particular, is a day trading tool of sorts that allows for automated activity. This means that users are both active in cryptocurrency trading and developing their own tools to do so in an automated manner.
“This library attempted to insert itself into that community and steal from them,” said Bambenek. “For users who are developing systems like this with open source technologies, without a significant brand behind them, it’s hard to really know if the repository you’re using is safe. That being said, none of the systems should be talking to the Telegram API, which is increasingly used in attacks like this, so looking for that behavior would provide an excellent opportunity for a high-fidelity breach detection.”
